EU-US Privacy Shield: recorded Webinar and what to expect from the death of Safe Harbor

On Tuesday 2 February, less than 24 hours after a tentative update to the European Parliament's LIBE committee, the European Commission announced that a political agreement had been reached on the replacement for Safe Harbor. Negotiators had been racing to meet a deadline set by the Article 29 Working Party, who met with Commissioner Jourova yesterday to discuss the proposal and agree a joint compliance response to the Schrems judgment. In a live press conference, Working Party Chair Isabelle Falque-Pierrotin confirmed that regulators would continue to permit transfers to the US based on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) but warned that transfers still reliant on Safe Harbor were now illegal.

Experts from a number of Bird & Bird offices provided a second webinar on Wednesday 3 February to analyse the Privacy Shield and announcements, and answer a number of questions on how businesses should react. This has been recorded and is available at the link below.

Background

In October 2015, the CJEU ruled in case C-362/14 Schrems v Data Protection Commissioner that the EU Commission's Safe Harbor decision was invalid. For a full summary of the facts and an analysis of that judgment, please see our bulletin here. Later that month, the Article 29 Working Party - comprised of representatives of Member State DPAs, the European Data Protection Supervisor and the European Commission - issued a non-binding press release on the implications of the judgment. This press release gave the Commission and US until the end of January to find an appropriate solution, warning that failure to resolve issues raised in the judgment on the wider state of US law and practice would result in Working Party consideration of the validity of all transfers to the US (including transfers under SCCs and BCRs). The Working Party were due to discuss the validity of US transfers under SCCs and BCRs in their meeting on 2-3 February 2015.

What has been announced?

The Commission announced that a political agreement had been reached between Commissioner Jourova and the US Secretary of Commerce, Penny Pritzker. Some details of this agreement were released in a high-level press release, with limited further detail provided by the Commissioner in her presentation to the LIBE Committee on Monday and her press conference on Tuesday. A summary of what we know of the proposal, titled the "EU-US Privacy Shield", is set out below.

The Article 29 Working Party have reacted to the Commission proposal by delaying their discussion on transfers to the US under SCCs and BCRs until they have been given more detail on the new framework. The Working Party has set a new three week deadline to receive final drafts, allowing them to work towards a final decision on US transfers under the framework, SCCs and BCRs by mid-late April 2016. They have agreed that transfers to the US under SCCs and BCRs will remain valid until then, and have set out the four "guarantees" that must be met.

What does this mean for data transfers to the US now and in the future? Will there now be enforcement action?

Safe Harbor is conclusively dead – Isabelle Falque-Pierrotin was categorical in her press conference that transfers still basing their adequacy on Safe Harbor were illegal. Some jurisdictions may now see enforcement action where companies have taken no action, particularly if complaints are received, although it was clear that enforcement was an area of little agreement between DPAs. Although some DPAs had indicated that SCCs and BCRs were no longer acceptable for US transfers, they are expected to withhold action in this area until the Working Party meet to discuss the Commission proposal.

What should my company do now?

Companies that have held back on changing their international transfer approach in hope of a quick "Safe Harbor 2.0" fix should now give serious thought to signing SCCs or adopting BCRs – albeit that these are not guaranteed to survive Working Party scrutiny in the spring. The other practical alternative is the relocation of services – a number of large cloud providers have hastened moves to provide EU located servers and support. Realistically, the Privacy Shield is unlikely to be available before the summer even assuming a smooth adoption. Consent will not be a viable option for regular and systematic transfers, and was not mentioned as a viable alternative during the Working Party press conference.

When might we know more?

The Working Party has set a deadline of three weeks for the Commission to provide it with final drafts for evaluation. We can hope for more concrete details of proposals to be published or leaked at this time. The Commissioner also explained that additional groundwork would be needed in the US to put in place safeguards agreed in negotiations. More details of those changes may appear in due course.

Will the Privacy Shield be accepted by regulators and privacy activists?

A number of LIBE Committee members reacted with hostility to the initial announcements, and the lack of detail about the proposals provided thus far means it is impossible to predict whether the Working Party will accept the Privacy Shield, or allow the continuation of US transfers under SCCs and BCRs. The Working Party has announced the four "guarantees" it will assess against, namely:

Data processing must be based on clear, precise and accessible rules

The objectives pursued must be necessary and proportionate

An independent and effective oversight mechanism must exist

Effective remedies must be available to the individual

What does seem clear is that the Privacy Shield will be subject to prompt legal challenge if implemented.

Will transfers to countries other than the US be affected?

The Working Party has indicated that these four "guarantees" can and should be applied to intelligence and security activities of any nation – however, there is currently no suggestion that the practices of other countries will be measured against these standards in the near future.

What do we know about the new framework?

The new "EU-US Privacy Shield" seeks to address key findings of the CJEU judgment by implementing:

US companies seeking to join the regime must commit to robust, EU data protection obligations – including the need to accommodate individuals' rights.

The Department of Commerce will monitor that companies publish their commitments openly, which will allow these to be enforceable under US law by the US Federal Trade Commission.

Compliance with these commitments may be monitored by the FTC, and companies may be ejected from the regime if they do not comply. Commission comments suggested that other strong sanctions may also be introduced.

There will be stricter rules on onward transfers from US participants.

The Commissioner indicated that the framework will be GDPR ready, and should not require any adjustment once this comes into force.

"Clear safeguards and transparency obligations on US government access"

The EC's press release states that the US has reviewed its procedures and "for the first time…has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms".

No formal legal change is required under US law, and assurances will instead be based on letters from the US administration rather than any formalised legislation. Whether or not this will be sufficient to meet the CJEU's requirements in Schrems remains to be seen – LIBE Committee members were particularly sceptical.

The Commission has promised that suspension mechanisms will ensure that the US cannot back away from its commitments.

Surveillance must be used only to the extent "necessary and proportionate" – these concepts were not more concretely defined, although the Commission has indicated that US negotiators have provided further detail on this. The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement.

There will be an annual joint review of this "living arrangement", which will also address the issue of national security access. The European Commission and US authorities will conduct the review and produce a report, which will also involve companies being required to disclose how many access requests they have received from security services. EU DPAs and national intelligence experts will also be invited to participate in this review.

"Effective protection of EU citizens' rights with several redress possibilities"

Any citizen who considers that their data has been misused under the new arrangement will have several, affordable redress mechanisms.

Companies will be required to handle complaints in the first instance, with deadlines for providing a response to individual complaints.

Where complaints are not resolved at this stage, European DPAs will be able to refer unresolved complaints to the FTC. There will be a free alternative dispute resolution mechanism, which may involve the DPAs and FTC.

An "arbitration" mechanism will operate as a last resort where the FTC has not pursued an individual's case.

For complaints on possible access by national intelligence authorities, a new special ombudsman will be created in the State Department. This will be independent of security services but have clearance to review security issues on the referral of EU DPAs. Its exact operation and rules of procedure are not yet known.